The ALIYUN::CLOUDFW::ControlPolicy resource type is used to add an access control policy to Cloud Firewall.
Syntax
{
  "Type": "ALIYUN::CLOUDFW::ControlPolicy",
  "Properties": {
    "ApplicationName": String,
    "DestPortType": String,
    "Direction": String,
    "Destination": String,
    "Description": String,
    "Proto": String,
    "AclAction": String,
    "Source": String,
    "SourceType": String,
    "DestinationType": String,
    "NewOrder": Integer,
    "DestPort": String,
    "RegionId": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "DomainResolveType": String,
    "IpVersion": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
AclAction | String | Yes | Yes | The action Cloud Firewall takes on traffic that matches the access control policy. | Valid values: accept (allow), drop (deny), log (observe only). |
ApplicationName | String | No | Yes | The application type that the policy applies to. | Valid values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. ANY applies the policy to all application types. |
Description | String | Yes | Yes | The description of the access control policy. | None |
Destination | String | Yes | Yes | The destination address in the access control policy. | Valid values depend on DestinationType: a CIDR block when net (for example, 192.168.XX.XX/24); an address book name when group (for example, db_group); a domain name when domain (for example, *.example.com); a list of region codes when location (for example, ["BJ11", "ZB"]; see the region codes below). |
DestinationType | String | Yes | Yes | The type of the destination address in the access control policy. | Valid values: net (CIDR block), group (address book), domain (domain name), location (region). |
Direction | String | Yes | No | The direction of the traffic that the policy governs. | Valid values: in (inbound), out (outbound). |
NewOrder | Integer | Yes | Yes | The priority of the access control policy. | Priority numbers start at 1 and increase sequentially; a larger number means a lower priority. Important: 1 is the highest priority and -1 is the lowest. |
Proto | String | Yes | Yes | The protocol of the traffic that the policy governs. | Valid values: ANY, TCP, UDP, ICMP. |
Source | String | Yes | Yes | The source address in the access control policy. | Valid values depend on SourceType: a CIDR block when net (for example, 192.168.XX.XX/24); an address book name when group (for example, db_group); a list of region codes when location (for example, ["BJ11", "ZB"]; see the region codes below). |
SourceType | String | Yes | Yes | The type of the source address in the access control policy. | Valid values: net (CIDR block), group (address book), location (region). |
DestPort | String | No | Yes | The destination port of the traffic that the policy governs. | Set this property when DestPortType is port. |
DestPortGroup | String | No | Yes | The name of the destination port address book. | Set this property when DestPortType is group. |
DestPortType | String | No | Yes | The type of the destination port. | Valid values: port (a port), group (a port address book). |
RegionId | String | No | No | The region ID. | Valid values: cn-hangzhou, ap-southeast-1. |
Release | Boolean | No | No | Whether the access control policy is enabled. | The policy is enabled by default after it is created. Valid values: true, false. |
RepeatType | String | No | No | The recurrence type of the policy validity period. | Valid values: Permanent, None, Daily, Weekly, Monthly. |
StartTime | Integer | No | No | The start time of the policy validity period. | A UNIX timestamp in seconds. It must be on the hour or half hour and at least 30 minutes earlier than EndTime. Note: leave StartTime empty when RepeatType is Permanent; StartTime is required when RepeatType is None, Daily, Weekly or Monthly. |
RepeatEndTime | String | No | No | The end time of each recurrence of the policy validity period. | For example, 23:30. It must be on the hour or half hour and at least 30 minutes later than RepeatStartTime. Note: leave RepeatEndTime empty when RepeatType is Permanent or None; RepeatEndTime is required when RepeatType is Daily, Weekly or Monthly. |
DomainResolveType | String | No | No | The domain name resolution method of the access control policy. | Valid values: |
IpVersion | String | No | No | The IP version of the assets protected by Cloud Firewall. | Valid values: |
RepeatDays | List | No | No | The days on which the policy validity period recurs. | Note: when RepeatType is Weekly, RepeatDays must not contain duplicates. Note: when RepeatType is Monthly, RepeatDays must not contain duplicates. |
EndTime | Integer | No | No | The end time of the policy validity period. | A UNIX timestamp in seconds. It must be on the hour or half hour and at least 30 minutes later than StartTime. Note: leave EndTime empty when RepeatType is Permanent; EndTime is required when RepeatType is None, Daily, Weekly or Monthly. |
RepeatStartTime | String | No | No | The start time of each recurrence of the policy validity period. | For example, 08:00. It must be on the hour or half hour and at least 30 minutes earlier than RepeatEndTime. Note: leave RepeatStartTime empty when RepeatType is Permanent or None; RepeatStartTime is required when RepeatType is Daily, Weekly or Monthly. |
ApplicationNameList | List | No | No | The application names. | None |
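The port and schedule constraints in the table above are easy to get wrong in a template and only surface as a failed stack operation. The following Python linter is an added example, not part of the ROS documentation: it checks the DestPortType, RepeatType, StartTime/EndTime, RepeatStartTime/RepeatEndTime and RepeatDays rules against a Properties dictionary before the template is submitted. The function names are this example's own, and the half-hour check on UNIX timestamps assumes a time zone whose UTC offset is a multiple of 30 minutes.

```python
# Added example, not from the ROS documentation: a pre-deployment linter for the
# schedule and port constraints in the ControlPolicy property table.
HALF_HOUR = 1800                      # seconds; StartTime/EndTime granularity
SCHEDULED = {"None", "Daily", "Weekly", "Monthly"}   # need StartTime/EndTime
RECURRING = {"Daily", "Weekly", "Monthly"}           # need Repeat*Time too

def parse_hhmm(value):
    """Return minutes since midnight; reject anything not on the hour/half hour."""
    h, m = (int(x) for x in value.split(":"))
    if not (0 <= h < 24 and m in (0, 30)):
        raise ValueError(value)
    return h * 60 + m

def validate_control_policy(props):
    """Return the list of violated constraints (empty when the policy is valid)."""
    errs = []
    # DestPort / DestPortGroup are each mandatory for exactly one DestPortType.
    for ptype, field in (("port", "DestPort"), ("group", "DestPortGroup")):
        if props.get("DestPortType") == ptype and not props.get(field):
            errs.append(f"{field} is required when DestPortType is {ptype}")
    rt = props.get("RepeatType")
    start, end = props.get("StartTime"), props.get("EndTime")
    if rt == "Permanent" and (start is not None or end is not None):
        errs.append("StartTime/EndTime must be empty when RepeatType is Permanent")
    if rt in SCHEDULED:
        if start is None or end is None:
            errs.append(f"StartTime and EndTime are required when RepeatType is {rt}")
        elif start % HALF_HOUR or end % HALF_HOUR:   # assumes a :00/:30 UTC offset
            errs.append("StartTime and EndTime must fall on the hour or half hour")
        elif end - start < HALF_HOUR:
            errs.append("EndTime must be at least 30 minutes after StartTime")
    rs, re_ = props.get("RepeatStartTime"), props.get("RepeatEndTime")
    if rt in ("Permanent", "None") and (rs or re_):
        errs.append("RepeatStartTime/RepeatEndTime must be empty for Permanent/None")
    if rt in RECURRING:
        if not (rs and re_):
            errs.append(f"RepeatStartTime and RepeatEndTime are required for {rt}")
        else:
            try:
                if parse_hhmm(re_) - parse_hhmm(rs) < 30:
                    errs.append("RepeatEndTime must be at least 30 min after RepeatStartTime")
            except ValueError:
                errs.append("Repeat times must be HH:MM on the hour or half hour")
        days = props.get("RepeatDays") or []
        if rt in ("Weekly", "Monthly") and len(days) != len(set(days)):
            errs.append("RepeatDays must not contain duplicates")
    return errs
```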
Region codes
Codes for China and overseas
Region | Code |
China | ZD |
Overseas | ZB |
Codes for regions in China
Region | Code |
Beijing | BJ11 |
Tianjin | TJ12 |
Hebei | HB13 |
Shanxi | SX14 |
Liaoning | LN21 |
Jilin | JL22 |
Shanghai | SH31 |
Jiangsu | JS32 |
Zhejiang | ZJ33 |
Anhui | AH34 |
Fujian | FJ35 |
Jiangxi | JX36 |
Shandong | SD37 |
Henan | HN41 |
Hubei | HB42 |
Hunan | HN43 |
Guangdong | GD44 |
Hainan | HN46 |
Chongqing | CQ50 |
Sichuan | SC51 |
Guizhou | GZ52 |
Yunnan | YN53 |
Shaanxi | SX61 |
Gansu | GS62 |
Qinghai | QH63 |
Heilongjiang | HLJ23 |
Tibet Autonomous Region | XZ54 |
Guangxi Zhuang Autonomous Region | GX45 |
Inner Mongolia Autonomous Region | NMG15 |
Ningxia Hui Autonomous Region | NX64 |
Xinjiang Uygur Autonomous Region | XJ65 |
Taiwan (China) | TW |
Hong Kong SAR (China) | HK |
Macao SAR (China) | MO |
Codes for overseas regions
Region | Code |
Asia (excluding China) | ZC |
Europe | EU |
Africa | AF |
North America | NA |
South America | LA |
Oceania | OA |
Antarctica | AQ |
Return values
Fn::GetAtt
AclUuid: the unique ID of the access control policy.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  ControlPolicy:
    Type: ALIYUN::CLOUDFW::ControlPolicy
    Properties:
      ApplicationName:
        Ref: ApplicationName
      DestPortType:
        Ref: DestPortType
      Direction:
        Ref: Direction
      AclAction:
        Ref: AclAction
      Description:
        Ref: Description
      Proto:
        Ref: Proto
      Destination:
        Ref: Destination
      Source:
        Ref: Source
      DestinationType:
        Ref: DestinationType
      NewOrder:
        Ref: NewOrder
      DestPortGroup:
        Ref: DestPortGroup
      DestPort:
        Ref: DestPort
      RegionId:
        Ref: RegionId
      SourceType:
        Ref: SourceType
Parameters:
  ApplicationName:
    Type: String
    Description: 'Application types supported by the security policy. The following
      types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP,
      VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy
      is applied to all types of applications.'
    AllowedValues:
      - ANY
      - HTTP
      - HTTPS
      - MQTT
      - Memcache
      - MongoDB
      - MySQL
      - RDP
      - Redis
      - SMTP
      - SMTPS
      - SSH
      - SSL
      - VNC
  DestPortType:
    Type: String
    Description: 'Security access control policy access destination port traffic type.
      port: Port group: port address book'
    AllowedValues:
      - group
      - port
  Direction:
    Type: String
    Description: 'Security access control traffic direction policies. in: internal
      and external traffic access control. out: within the flow of external access
      control'
    AllowedValues:
      - in
      - out
  AclAction:
    Type: String
    Description: 'Traffic access control policy set by the cloud of a firewall. accept:
      Release. drop: rejected. log: Observation'
    AllowedValues:
      - accept
      - drop
      - log
  Description:
    MinLength: 1
    Type: String
    Description: Security access control policy description information.
  Proto:
    Type: String
    Description: 'The type of security protocol for traffic access in the security
      access control policy. Can be set to ANY when you are not sure of the specific
      protocol type. Allowed values: ANY, TCP, UDP, ICMP'
    AllowedValues:
      - ANY
      - ICMP
      - TCP
      - UDP
  Destination:
    MinLength: 1
    Type: String
    Description: 'Security Access Control destination address policy. When DestinationType
      is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType
      as a group, Destination for the purpose of the address book name. For example:
      db_group. When DestinationType for the domain, Destination for the purpose of
      a domain name. For example:. * example.com. When DestinationType as location,
      Destination area for the purpose (see below position encoding specific regions).
      For example: [ "BJ11", "ZB"]'
  Source:
    MinLength: 1
    Type: String
    Description: 'Security access control source address policy. When SourceType for
      the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType
      as a group, Source name for the source address book. For example: db_group.
      When SourceType as location, Source source region (specific region position
      encoder see below). For example, [ "BJ11", "ZB"]'
  DestinationType:
    Type: String
    Description: 'Security Access Control destination address type of policy. net:
      Destination network segment (CIDR). group: destination address book. domain:
      The purpose domain. location: The purpose area'
    AllowedValues:
      - domain
      - group
      - location
      - net
  NewOrder:
    Type: Number
    Description: Security access control priority policy in force. Priority number
      increments sequentially from 1, lower the priority number, the higher the priority.
      Description -1 indicates the lowest priority.
    MinValue: -1
  DestPortGroup:
    Type: String
    Description: Security access control policy access traffic destination port address
      book name. Description DestPortType is group, set the item.
  DestPort:
    Type: String
    Description: Security access control policy access traffic destination port. Note
      When DestPortType to port, set the item.
  RegionId:
    Default: cn-hangzhou
    Type: String
    Description: Region ID. Default to cn-hangzhou.
    AllowedValues:
      - cn-hangzhou
      - ap-southeast-1
  SourceType:
    Type: String
    Description: 'Security access control source address type of policy. net: Source
      segment (CIDR). group: source address book. location: the source area'
    AllowedValues:
      - group
      - location
      - net
Outputs:
  AclUuid:
    Description: Security access control ID that uniquely identifies the policy.
    Value:
      Fn::GetAtt:
        - ControlPolicy
        - AclUuid
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "ControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::ControlPolicy",
      "Properties": {
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Direction": {
          "Ref": "Direction"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Description": {
          "Ref": "Description"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "Destination": {
          "Ref": "Destination"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "SourceType": {
          "Ref": "SourceType"
        }
      }
    }
  },
  "Parameters": {
    "ApplicationName": {
      "Type": "String",
      "Description": "Application types supported by the security policy. The following types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy is applied to all types of applications.",
      "AllowedValues": [
        "ANY",
        "HTTP",
        "HTTPS",
        "MQTT",
        "Memcache",
        "MongoDB",
        "MySQL",
        "RDP",
        "Redis",
        "SMTP",
        "SMTPS",
        "SSH",
        "SSL",
        "VNC"
      ]
    },
    "DestPortType": {
      "Type": "String",
      "Description": "Security access control policy access destination port traffic type. port: Port group: port address book",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Direction": {
      "Type": "String",
      "Description": "Security access control traffic direction policies. in: internal and external traffic access control. out: within the flow of external access control",
      "AllowedValues": [
        "in",
        "out"
      ]
    },
    "AclAction": {
      "Type": "String",
      "Description": "Traffic access control policy set by the cloud of a firewall. accept: Release. drop: rejected. log: Observation",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Description": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control policy description information."
    },
    "Proto": {
      "Type": "String",
      "Description": "The type of security protocol for traffic access in the security access control policy. Can be set to ANY when you are not sure of the specific protocol type. Allowed values: ANY, TCP, UDP, ICMP",
      "AllowedValues": [
        "ANY",
        "ICMP",
        "TCP",
        "UDP"
      ]
    },
    "Destination": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security Access Control destination address policy. When DestinationType is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType as a group, Destination for the purpose of the address book name. For example: db_group. When DestinationType for the domain, Destination for the purpose of a domain name. For example:. * example.com. When DestinationType as location, Destination area for the purpose (see below position encoding specific regions). For example: [ \"BJ11\", \"ZB\"]"
    },
    "Source": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control source address policy. When SourceType for the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType as a group, Source name for the source address book. For example: db_group. When SourceType as location, Source source region (specific region position encoder see below). For example, [ \"BJ11\", \"ZB\"]"
    },
    "DestinationType": {
      "Type": "String",
      "Description": "Security Access Control destination address type of policy. net: Destination network segment (CIDR). group: destination address book. domain: The purpose domain. location: The purpose area",
      "AllowedValues": [
        "domain",
        "group",
        "location",
        "net"
      ]
    },
    "NewOrder": {
      "Type": "Number",
      "Description": "Security access control priority policy in force. Priority number increments sequentially from 1, lower the priority number, the higher the priority. Description -1 indicates the lowest priority.",
      "MinValue": -1
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port address book name. Description DestPortType is group, set the item."
    },
    "DestPort": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port. Note When DestPortType to port, set the item."
    },
    "RegionId": {
      "Default": "cn-hangzhou",
      "Type": "String",
      "Description": "Region ID. Default to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ]
    },
    "SourceType": {
      "Type": "String",
      "Description": "Security access control source address type of policy. net: Source segment (CIDR). group: source address book. location: the source area",
      "AllowedValues": [
        "group",
        "location",
        "net"
      ]
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "Security access control ID that uniquely identifies the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}